1 / 46

SECURITY: THE BIG PICTURE

SECURITY: THE BIG PICTURE. Ayal Rosenberg PDEV. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor

ince
Download Presentation

SECURITY: THE BIG PICTURE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SECURITY: THE BIG PICTURE Ayal Rosenberg PDEV

  2. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu – The Art of War

  3. “A new military revolution has emerged. The revolution is essentially a Transformation from the mechanized warfare of the industrial age to the information warfare of the information age. Information warfare is a war of decisions and control, a war of knowledge, and a war of intellect. The aim of information warfare will be gradually changed from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent’. Information warfare includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare and structural sabotage. Under today’s technological conditions, the ‘all conquering stratagems’ of Sun Tzu more than two millennia ago – ‘vanquishing the enemy without fighting’ and subduing the enemy by ‘soft strike’ or ‘soft destruction’ – could finally be truly realized.” Chinese Army newspaper Jiefangjun Bao – May 1996

  4. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  5. “Security is a process not a product” - Bruce Scheier

  6. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  7. ATTACKS • CRIMINAL ATTACKS • PRIVACY VIOLATIONS • PUBLICITY ATTACKS

  8. CRIMINAL ATTACKS How can I acquire the maximum financial return by attacking the system? • Fraud • Scams • Destructive Attacks • Intellectual Property Theft (Piracy) • Brand Theft

  9. PRIVACY VIOLATIONS • Targeted Attacks • Data Harvesting • Surveillance • Databases • Traffic Analysis • Massive Electronic Surveillance

  10. PUBLICITY ATTACKS How can I get famous by attacking the system? • Bad Press costs more than theft • Inform criminals who can exploit the • news • Denial of Service

  11. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  12. ADVERSARIES Crooks haven’t changed. It’s just that cyberspace is the new place for them to ply their trade. • Objectives • Access • Resources • Expertise • Risk

  13. ADVERSARIES • HACKERS • LONE CRIMINALS • MALICIOUS INSIDERS • INDUSTRIAL ESPIONAGE • PRESS • ORGANIZED CRIME • POLICE • TERRORISTS • NATIONAL INTELLIGENCE • INFO-WARRIORS

  14. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  15. SECURITY NEEDS • Privacy • Multi-Level Security • Anonymity • Authentication • Integrity • Audit • Electronic Currency • Proactive Solutions

  16. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  17. TECHNOLOGIES • CRYPTOGRAPHY • COMPUTER SECURITY • IDENTIFICATION & AUTHORIZATION

  18. CRYPTOGRAPHY A group of people use private knowledge to keep messages secret from third parties. Cryptography is not a panacea. You need more than it for security – but it is essential. You don’t have to understand the math. You do have to understand the ramifications.

  19. CRYPTOGRAPHY VULNARABILTIES • Distribution of keys • Storing of keys • Destruction of keys • Proliferation of pair-wise keys in symmetric mode • Performance degradation in asymmetric mode

  20. SYMMETRIC CRYPTOGRAPHY Receive Encrypted Message Compose Message Decrypt Message with Key Encrypt Message with key

  21. ASYMMETRIC ENCRYPTION Generate Public key and distribute Send Message Compose Message Encrypt Message with Public key Decrypt Message with Private key

  22. CRYPTOGRAPHY ATTACKS • Cipher Text Only Attack • Known Plain Text Attacks • Chosen Plain Text Attacks • Brute Force Attacks

  23. CRYPTOGRAPHY VULNARABILTIES • Distribution of keys • Storing of keys • Destruction of keys • Proliferation of pair-wise keys in symmetric mode • Performance degradation in asymmetric mode

  24. CRYPTOGRAPHY VARIATIONS • Message Authentication Codes • Symmetric Algorithms: HMAC or NMAC • One-Way Hash Functions • Secure Hash Algorithm (SHA1) • Secure Hash Standard (SHS) • RIPEMD-160 (EU) • MD5 (?) MD4 - obsolete • Digital Signatures • Public and private keys. • Sender encrypts with private and receiver decrypts with public. • Allows for non-repudiation. • Digital Signature Algorithm (DSA) • Digital Signature Standard (DSS)

  25. COMPUTER SECURITY Confidentiality !!! Stop unauthorized users from reading sensitive information. Integrity !!! Every piece of data should be as the last authorized modifier left it. Availability!! The property of being accessible and useable upon demand by an authorized entity. Access Control = Confidentiality + Integrity + Availability

  26. OS SECURITY • Security Kernels • Reference Monitor • Trusted Computing Base • Secure Kernel • OS Evaluation Criteria • C2 • ISO 15408

  27. IDENTIFICATION & AUTHENTICATION Who are you and can you prove it!! Allow authorized users in! Keep unauthorized users out!

  28. IDENTIFICATION & AUTHENTICATION • Username and Password • Username – identification • Password - proof of identification • Biometrics • Biometric came from the person at verification time • Biometric matches master on file • Access Tokens • Password for tokens -> PIN • Authentication Protocols • Cryptographic authentication over a network • Salt • Kerberos • Single Sign On • Incompatible legacy • Single point of failure

  29. KERBEROS Kerberos Server Request to logon onto Machine X Check to see if Client has permission to log on to Server X Kerberos sends ticket and session key for authentication to Client Server X issues with a long term key by Kerbros Server X validates ticket and session key with long term key Client Send authenticator and session key to Server X Use the session key to create an authenticator Server X

  30. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  31. NETWORKED COMPUTER SECURITY • MALICIOUS SOFTWARE • NETWORK SECURITY • NETWORK DEFENCES

  32. MALWARE • Payload and Propagation • Classifications • Viruses • Worms • Trojan Horses • Modular Code Problem • Isolation and Memory Safety • Access Control at the interfaces • Code Signing • Mobile Code • Web Security • SSL • Cross Site Scripting • Cookie Abuse • Web Service Scripts

  33. NETWORK SECURITY Mainly TCP/IP protocol Post office not Telephone company! • Router Vulnerability • Password Sniffing • IP Spoofing • DNS Security • Denial of Service Attacks • Distributed Denial of Service Attacks

  34. NETWORK DEFENCES • FIRE-WALLS • Attacks • Go around • Sneak key in • Take over • Types: Packet Filters & Proxy Gateways • DEMILITARIZED ZONES (DMZ) • Connect disjointed pieces of network • Connect mobile, roaming users • VIRTUAL PRIVATE NETWORKS (VPN) • Misuse detection • Anomaly detection • INTRUSION DETECTION SYSTEMS (IDSs) • HONEY POTS & ALARMS • VULNERABILITY SCANNERS

  35. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

  36. “The problem is that security measures such as cryptography, secure kernels, Firewalls and everything else work much better in theory than they do in practice. In other words: Security flaws in the implementation are much more common and much more serious than security flaws in design. Design is about software reliability” - Bruce Schneier

  37. PROCESSES “Products have problems - and they are getting worse. The only reasonable thing to do is to create processes that accept this reality. We must implement these processes to get as much safety as possible.” - Bruce Schneier • PRINCIPLES • DETECTION & RESPONSE • COUNTER-ATTACK • RISK MANAGEMENT

  38. PROCESS PRINCIPLES • Compartmentalize • Secure the weakest link • Use Choke Points • In-depth Defense • Fail Securely • Leverage Unpredictability • Embrace Simplicity • “Complexity is the worst enemy if security!” • “Be as simple as possible but no simpler” - Einstein • Enlist Users • Assure • Question • Trust no one – especially yourself!!!!

  39. DETECTION & RESPONSE “Detection is more important than prevention!” • Detect Attacks • Analyze Attacks • Detection • Localization • Identification • Assessment • Respond to Attacks • Make the problem go away • Catch the Attacker • Be Vigilant • Continuous • Immediateness • Prteparedness • Watch the Watchers • Recover from Attacks • Recover from compromise

  40. COUNTER ATTACK “The best defense is attack!!!” “Attacker is a tortoise; Defender must be a fox!”

  41. RISK MANAGEMENT “There is no 100% security!” “Identify the risk then either accept it, or reduce it or insure against it.” “Security does not have to be perfect but risks have to be manageable.” “Outsource to experts!”

  42. RISK MANAGEMENT “How big is the potential loss?” “We don’t know!!” “How likely is the loss to occur?” “We don’t know.” “How much is your company worth?” “One billion rands!” “The premium will be one billion rands!”

  43. “I’ve realized that the fundamental problems in security are no longer about technology; they’re about how to use technology.” “There is no way to turn security into a product.” “It’s more and more about process.” - Bruce Schneier

  44. AGENDA • ATTACKS • ADVERSARIES • SECURITY NEEDS • TECHNOLOGIES • NETWORKED COMPUTER SECURITY • PROCESSES

More Related